May 22, 2024

Do not block PowerShell, but configure it correctly

Cybersecurity authorities from the US, UK and New Zealand have advised companies and government agencies to properly configure Microsoft's built-in Windows PowerShell command-line tool rather than remove it.

Defenders should not disable PowerShell, a scripting language and command-line shell for Windows that supports forensics, incident response and the automation of desktop tasks. That is the joint recommendation of the US National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Centres of New Zealand and the United Kingdom.

Administrators can also use PowerShell to automate security tasks on the Microsoft Azure cloud platform. For example, Microsoft Defender Antivirus on Windows 10 and Windows 11 can be run and managed from PowerShell commands.

However, PowerShell’s flexibility has also made it attractive to attackers, who have used it to remotely compromise Windows machines and even Linux systems.

“Cybersecurity authorities from the United States, New Zealand and the United Kingdom recommend that PowerShell be properly configured and monitored rather than completely removed or disabled,” the authorities said.

“This takes advantage of the security features PowerShell can provide, while making it less likely that malicious actors will use it undetected after gaining access to victim networks.”

PowerShell's flexibility and extensibility, and the fact that it ships with Windows 10 and 11, give attackers an opportunity to abuse the tool. This usually happens after the attacker has already gained a foothold in the victim's network through a vulnerability in Windows or in other software.

PowerShell-based attacks have nevertheless prompted some administrators and network defenders to disable or remove the tool from their devices. The NSA and its partners advise against doing so.

As the US Department of Defense notes, blocking PowerShell removes the defensive capabilities that current versions of PowerShell provide and can prevent Windows components from functioning properly.

The advice aligns with Microsoft's own guidelines for using PowerShell and its recommendations to administrators for protecting against PowerShell attacks. Microsoft acknowledged in 2020 that PowerShell is used both by commodity malware and by hands-on attackers.

“PowerShell is by far the most secure and transparent scripting language out there,” Microsoft said in a 2020 blog post.

New Zealand's National Cyber Security Centre summarizes the security advantages of keeping PowerShell:

Credential protection during PowerShell remoting

Network protection of PowerShell remoting

Antimalware Scan Interface (AMSI) integration

Constraining PowerShell with application control

PowerShell also provides remote management capabilities, authenticating remote sessions over Windows Remote Management (WinRM) with the Kerberos or New Technology LAN Manager (NTLM) protocols. Kerberos is the primary authentication protocol of Active Directory (AD), Microsoft's identity service, and has been the successor to NTLM since its introduction in Windows 2000.
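The remoting configuration behind that paragraph, as an added example that is not part of the agencies' guidance or of this article: it disables Basic and unencrypted WinRM transports, empties the client TrustedHosts list so NTLM credentials are not handed to arbitrary endpoints, and forces Kerberos so that a downgrade to NTLM fails loudly instead of silently. The target names 'srv01.corp.example' and '10.0.0.5' are placeholders for one domain-joined host; the function name Test-RemotingAuth is mine.

```powershell
# Added example (not from the agencies' guidance or this article): lock PowerShell remoting
# to encrypted, domain-authenticated transports and make a Kerberos-to-NTLM downgrade fail loudly.
# 'srv01.corp.example' and '10.0.0.5' are placeholder targets for the same domain-joined host.
# Run as Administrator on the management workstation.
#Requires -RunAsAdministrator

# Make sure the WinRM service, HTTP listener and firewall rule exist.
Enable-PSRemoting -Force | Out-Null

# Service side: no Basic auth, no unencrypted payloads. WinRM then only accepts
# Kerberos/Negotiate sessions whose traffic is encrypted at the message level.
Set-Item -Path WSMan:\localhost\Service\Auth\Basic        -Value $false
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false

# Client side: an empty TrustedHosts list means the client will not hand NTLM credentials
# to arbitrary (non-Kerberos) endpoints. Never set this to '*'.
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value '' -Force

function Test-RemotingAuth {
    param([Parameter(Mandatory)][string]$Target)
    # -Authentication Kerberos forbids the silent fallback to NTLM that 'Negotiate' allows.
    try {
        Invoke-Command -ComputerName $Target -Authentication Kerberos -ScriptBlock {
            # $PSSenderInfo is populated only inside a remote session.
            [pscustomobject]@{
                Host     = $env:COMPUTERNAME
                User     = $PSSenderInfo.UserInfo.Identity.Name
                AuthType = $PSSenderInfo.UserInfo.Identity.AuthenticationType
            }
        }
    } catch {
        # Expected when $Target is an IP address: no SPN can be built, so Kerberos cannot be used.
        [pscustomobject]@{ Host = $Target; User = $null; AuthType = "FAILED: $($_.Exception.Message)" }
    }
}

# FQDN -> SPN lookup succeeds -> AuthType reports 'Kerberos'.
Test-RemotingAuth -Target 'srv01.corp.example'
# IP address -> no SPN -> Kerberos refused; with 'Negotiate' this would have quietly used NTLM.
Test-RemotingAuth -Target '10.0.0.5'
```

The second call is the useful one: if it succeeds, something on the client (a TrustedHosts wildcard, or an authentication setting other than Kerberos) still permits NTLM to a target that cannot be verified through AD.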

Microsoft released PowerShell 7 in 2020, but Windows PowerShell 5.1 is the version that ships with Windows 10 and later. The latest release, 7.2, adds security measures covering prevention, detection and authentication.

The authorities recommend “explicitly disabling and uninstalling” the legacy PowerShell 2.0 engine, which lacks the logging and AMSI protections of later versions, but make no recommendations for the Linux and macOS versions of PowerShell.

They also provide guidance on network security, AMSI, and configuring AppLocker or Windows Defender Application Control (WDAC) so that PowerShell runs in Constrained Language Mode, which prevents attackers from taking full control of a PowerShell session.

The agencies highlight features available in the latest versions of PowerShell, such as deep script block logging, over-the-shoulder transcription, stronger authentication mechanisms and remoting over Secure Shell (SSH).
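The hardening and logging controls named in this paragraph, together with the removal of the legacy 2.0 engine recommended above, as an added example that is not part of the agencies' guidance or of this article. The registry paths are the documented Group Policy locations for these settings; the transcript directory C:\PSTranscripts and the function names Set-PolicyValue, Get-PowerShellPosture and Find-SuspiciousScriptBlocks are my assumptions.

```powershell
# Added example (not from the agencies' guidance or this article): apply the logging and
# hardening controls the guidance names on a Windows 10/11 host, remove the legacy 2.0 engine,
# then report how the session looks and hunt the resulting script block logs. Registry paths are
# the documented Group Policy locations; $TranscriptDir is an assumed local path. Run as Administrator.
#Requires -RunAsAdministrator

$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = 'C:\PSTranscripts'   # assumption; in production use a write-only network share

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Legacy PowerShell 2.0 engine: no script block logging, no AMSI, used for downgrade attacks.
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
if ($v2.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
}

# 2. Deep script block logging: every executed block is written as event 4104 to
#    Microsoft-Windows-PowerShell/Operational, already decoded when the input was encoded/obfuscated.
Set-PolicyValue "$PolicyRoot\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# 3. Module logging for every module (event 4103: cmdlet invocations with parameter values).
Set-PolicyValue "$PolicyRoot\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$PolicyRoot\ModuleLogging\ModuleNames" '*' '*' 'String'

# 4. Over-the-shoulder transcription: full console input and output of every session.
New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null
Set-PolicyValue "$PolicyRoot\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$PolicyRoot\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$PolicyRoot\Transcription" 'OutputDirectory' $TranscriptDir 'String'

# 5. What an attacker who lands in this session would see.
function Get-PowerShellPosture {
    [pscustomobject]@{
        Version      = $PSVersionTable.PSVersion.ToString()
        V2Engine     = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root).State
        # 'ConstrainedLanguage' once an AppLocker/WDAC policy is enforced; 'FullLanguage' otherwise.
        LanguageMode = $ExecutionContext.SessionState.LanguageMode.ToString()
        AmsiLoaded   = @((Get-Process -Id $PID).Modules | Where-Object ModuleName -eq 'amsi.dll').Count -gt 0
    }
}
Get-PowerShellPosture | Format-List

# 6. Hunt: recent 4104 events that contain classic download-cradle or obfuscation markers.
$markers = 'DownloadString', 'FromBase64String', 'Invoke-Expression', 'IEX', '-EncodedCommand', 'Net.WebClient'
$pattern = ($markers | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Find-SuspiciousScriptBlocks([int]$MaxEvents = 500) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        Select-Object TimeCreated,
                      @{ n = 'Snippet'; e = { $t = $_.Message -replace '\s+', ' '; $t.Substring(0, [Math]::Min(160, $t.Length)) } }
}
Find-SuspiciousScriptBlocks | Format-Table -AutoSize -Wrap
```

Because the hunt in step 6 lists the marker strings in clear text, the script block of this very script is logged and matched on the next run; that is a cheap end-to-end check that script block logging is on before you rely on it for detection. Constrained Language Mode is not set by this script: it appears only once an AppLocker or WDAC policy that allows PowerShell is enforced, which is why Get-PowerShellPosture reports it rather than configuring it.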

The NSA said, “PowerShell is essential to the security of the Windows operating system, especially since newer versions have addressed previous limitations and concerns with updates and improvements.”

“Removing or improperly restricting PowerShell will prevent administrators and defenders from using PowerShell to support system maintenance, forensics, automation and security. PowerShell must be properly managed and secured, along with its management capabilities and security measures.”